Comparison of BC OIPC’s Submissions on PIPA reform and OPC Submission on C-11

Background: On December 9, 2020, the Legislative Assembly of British Columbia agreed to appoint a Special Committee to review British Columbia’s (BC’s) Personal Information Protection Act (PIPA).Footnote 1 The BC Office of the Information and Privacy Commissioner (OIPC) submitted three documents to the Special Committee, namely a submission on PIPA reform,Footnote 2 a supplementary submission which discusses their original recommendations in the context of Bill C-11, and a chart comparing key recommendations on PIPA reform with Bill C-11.

Overview: The OIPC’s submission makes 12 recommendations for PIPA reform on: mandatory breach reporting, service providers, consent, automated decision-making, the right to be forgotten, data portability, administrative monetary penalties (AMPs), compliance agreements, regulatory cooperation and information sharing, oversight powers, PIPA’s relationship with PIPEDA, and privileged information.

Overall, the OIPC’s recommendations align with our recommendations for amendments to C-11. In some areas they strongly align (e.g. on the Tribunal/AMPs, automated decision-making, data portability and some of the consent recommendations). In other areas we go further than their recommendation (e.g. on the “Right to be Forgotten”). Some of their recommendations would align PIPA more closely with PIPEDA (e.g. requiring mandatory breach reporting). In these and other areas our recommendations are more specific, where theirs are more general. In very few areas they make recommendations that we do not (e.g. requiring written notice for consent and requiring that notice be provided separately from other legal terms).

The comparison below is organized by topic. For each topic, the relevant Bill C-11 provision is given first, followed by the BC OIPC Submission on PIPA, the OPC Submission on C-11, and an assessment of how closely the two sets of recommendations align.
1. Mandatory Breach Reporting

Bill C-11: The CPPA requires organizations to report to the Commissioner any breach of security safeguards that creates a real risk of significant harm to an individual and to notify affected individuals.

BC OIPC Submission on PIPA: The OIPC recommends that PIPA include mandatory breach reporting requirements, including notifying both individuals and the Commissioner when there is a real risk of significant harm. The OIPC emphasizes alignment with PIPEDA and Alberta’s PIPA. They also recommend including authority for the Commissioner to require an organization to notify affected individuals where the organization has not done so. Lastly, the OIPC recommends that PIPA contain requirements relating to the timing of notice, the contents of notices, the supporting information that must be provided to the Commissioner, and record-keeping duties for organizations.

OPC Submission on C-11: Because Bill C-11 preserves the notification and reporting requirements currently found in PIPEDA, our recommendation focuses on the timing of breach reporting, specifically that the report be made “without unreasonable delay, but no more than 7 calendar days, after the organization becomes aware of the breach”.

Alignment: The OIPC submission aligns with our recommendation, though ours is narrower and more specific.
2. Service Providers

Bill C-11: The CPPA requires organizations to ensure, by contract or otherwise, that service providers provide substantially the same protection as that which the organization is required to provide under the Act.

BC OIPC Submission on PIPA: The OIPC recommends that PIPA be amended to state that organizations are responsible for the personal information they transfer to a third party for processing or for providing services to or on behalf of the transferring organization, and that organizations must use contractual or other means to ensure compliance with PIPA or to provide a comparable level of protection.

OPC Submission on C-11: We believe the overall scheme for service providers under s. 11 of the CPPA is “reasonable”. However, we find that in certain areas additional details or amendments would be beneficial. For instance, provisions that are specific to information “transferred” for processing are problematic in an environment where service providers may potentially collect personal information on behalf of another organization.

Our submission criticizes the CPPA for not distinguishing between domestic and international service providers and recommends that, among other things, the organizational requirements regarding trans-border data flows be set out explicitly and separately.

Alignment: The OIPC submission generally aligns with our recommendations regarding domestic service providers.
3. Consent Requirements

Bill C-11: Relevant provisions:
  • valid consent, s 15(3)
  • form of consent, s 15(4)
  • exceptions to consent, ss 18-39

BC OIPC Submission on PIPA: The OIPC recommends that PIPA be amended to:
  • Require organizations to give notice in writing to ensure that individuals understand what their personal information will be used for, unless consent is implied.
  • Require organizations to provide comprehensive, specific, clear and plain notice of all purposes for which individuals’ personal information will be collected, used and disclosed, such that it is reasonable to expect that an individual would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.
  • Require organizations to provide notice separate from other legal terms, and to assist any individual to understand what they are being asked to agree to if the individual asks.

Exceptions to Consent: The OIPC states that the CPPA’s express consent requirements are “close in spirit” to their consent-related recommendations for PIPA;Footnote 3 however, they have “serious reservations” about the CPPA’s exceptions to consent. The OIPC states that the new consent exceptions under the CPPA are overly broad, ambiguous, dispense with individual control, and/or eliminate transparency.

The OIPC urges the Special Committee not to recommend the adoption of the CPPA’s new consent exemptions and to recommend only that the government monitor the progress of the CPPA on this issue. They also recommend affirming individual control through consent as a core principle of PIPA.

As examples of exceptions that are too broad, the OIPC mentions that organizations will be able to use de-identified information for internal research and development, the exception for “business activities” including preventing or reducing “commercial risk”, and the exception where the organization does not have a direct relationship with the individual.

OPC Submission on C-11: We recommend that the CPPA include the “understanding requirement”: that the individual’s consent is valid only if the organization provides the individual with certain information, in a manner such that it is reasonable to expect that the individual would understand the nature, purpose and consequences of the intended collection, use or disclosure. We also recommend that organizations be required to present the information in an intelligible and easily accessible format, using clear and plain language.

The OPC does not recommend that organizations give notice in writing to individuals, provide notice separate from other legal terms, or assist individuals in their understanding.

Exceptions to Consent: Our submission emphasizes that it is critical that the exceptions to consent be defined clearly and be within the expectations of an individual. We make recommendations concerning the exceptions for an activity that prevents or reduces the organization’s “commercial risk”, and for cases where obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.

For the former, we recommend that the scope of the “commercial risk” exception be limited. For the latter, we recommend that the paragraph be repealed, and that either:
  1. Any legitimate commercial interests which would have been enabled by paragraph 18(2)(e) be authorized via an explicit and knowable exception to consent; or,
  2. A legitimate commercial interests exception to consent be introduced if accompanied by the introduction of a rights-based regime and pre-conditions such as the conduct of a PIA and a balancing test, and if monitoring of its application were possible through proactive compliance checks by the OPC.

Alignment: Some aspects of our recommendations are aligned (e.g. including the “understanding requirement”, and the position by both offices that some of the exceptions are too broad).

However, our recommendations differ where the BC OIPC recommends requiring notice in writing and separate from other legal terms.

The BC OIPC also urges the Special Committee not to recommend the adoption of C-11’s new exceptions to consent and to monitor the progress of the Bill, while the OPC is seeking targeted amendments to, or removal of, specific exceptions.
4. Automated Decision-Making

Bill C-11: The CPPA requires organizations to make available a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have significant impacts on them.

As well, organizations must, on request, provide the individual with an explanation of the prediction, recommendation or decision and of how the personal information was obtained.

BC OIPC Submission on PIPA: The OIPC states that the AI provisions in the CPPA fall short of what is necessary, since the CPPA only requires organizations to provide a “general account” of their use of AI in their policies and procedures, including when its use could have a significant impact on individuals. These provisions run the risk of important information being buried in standard transparency disclosure statements or lacking the case-specific details that individuals reasonably need to protect privacy and other rights.

Instead of adopting the approach to AI proposed in the CPPA, the OIPC reaffirmed their recommendation on AI from a previous submission, which includes amending PIPA to require an organization using automated processing to:
  • notify an individual that automated processing will be used to make a decision about them;
  • on request, disclose the reasons and criteria used; and
  • receive objections from individuals to the use of automated processing, through someone within the organization who has the authority to review and change the decision.

OPC Submission on C-11: We recommend that the standard for the level of explanation required under the CPPA be enhanced to allow individuals to understand:
  1. the nature of the decision they are subject to and the relevant personal information relied upon, and
  2. the rules that define the processing and the decision’s principal characteristics.

Where trade secrets prevent such an explanation from being provided, at least the following should be disclosed: (i) the type of personal information collected or used, (ii) why the information is relevant, and (iii) its likely impact on the individual.

Additionally, we recommend that a right to contest automated decisions be included in the CPPA.

Alignment: The OIPC submission generally aligns with our recommendations.
5. Right to be Forgotten

Bill C-11: Organizations must dispose of personal information that they have collected from the individual upon written request from the individual (subject to exceptions).

BC OIPC Submission on PIPA: The OIPC recommends the enactment of a positive right for individuals to require the disposal of their personal information (as opposed to PIPA’s current “passive” duty for organizations to destroy personal information or render it unidentifiable when the purpose is no longer served by its retention).

The OIPC further recommends that the BC government continue to monitor developments in the area of the right to be forgotten, to ensure that PIPA continues to protect individuals from the impact of use or disclosure of outdated, inaccurate or incomplete personal information (including through indexing by internet search engines).

OPC Submission on C-11: We support the inclusion of the express ability for individuals to request the deletion of personal information, but find it unnecessarily limited in scope, given subsection 55(1)’s reference only to information collected from the individual. We recommend it be expanded to include all personal information held by an organization about the individual, subject to consideration of additional reasons for refusal.

We also recommend that Parliament enact a clear and explicit right with respect to the de-indexing and/or removal of personal information from search results and other online sources.

Alignment: The OIPC’s recommendations align with ours, though ours go further in advocating for an explicit right to de-indexing and an expansion of the right to request deletion.
6. Right to Data Portability

Bill C-11: Upon request, organizations must disclose personal information collected from an individual to an organization designated by the individual, if both are subject to a data mobility framework provided under the regulations.

BC OIPC Submission on PIPA: The OIPC recommends that PIPA be amended to give individuals the right to obtain their own electronic personal information from an organization in a structured, commonly used, machine-readable format, at no expense to the individual.

Organizations should also be required to transfer, upon request, personal information to an organization that the individual designates if it is technically feasible to do so without undue cost to the organization (subject to exceptions, such as whether it would interfere with a law enforcement matter or prejudice the legal rights of the organization).

The OIPC acknowledges that the BC government will likely need to work closely with the federal government to seek harmonization between the CPPA regulations for a data portability framework and PIPA’s provisions on this issue.

OPC Submission on C-11: Overall, the OPC supports the introduction of data mobility provisions in the CPPA; however, we recommend certain amendments to better align the Bill with international models, including:
  • that it apply to all personal information about an individual, including derived or inferred information, and
  • that a clear consultative, advisory or approval role be established for the OPC with respect to data mobility frameworks.

Alignment: The OIPC’s recommendations generally align with ours, although they offer more specific recommendations (e.g. a structured, commonly used, machine-readable format, at no expense) while the CPPA’s model will be largely determined by regulations.
7. Administrative Monetary Penalties (AMPs)

Bill C-11: Under the CPPA, if the Commissioner finds that an organization has contravened certain provisions, the Commissioner must decide whether to recommend that a penalty be imposed on the organization by the Tribunal, considering certain factors.

BC OIPC Submission on PIPA: While the OIPC calls for a significantly enhanced enforcement framework, including the ability for the Commissioner to impose AMPs, the OIPC does not support the CPPA’s approach to the imposition of AMPs through the creation of a new statutory tribunal.Footnote 4 The OIPC states “[the] creation of a new body to discharge this role is unprecedented in the Canadian privacy oversight world and in the EU context… without commenting on this policy choice in the federal context, this model absolutely should not be followed in British Columbia.”Footnote 5

The OIPC recommends that the Commissioner be able to issue AMPs, as the OIPC already has extensive experience administering AMPs under another ActFootnote 6 and given that “there is no case to be made that such a step is necessary in terms of institutional design or necessity in this province”.Footnote 7

OPC Submission on C-11: We strongly recommend that the Personal Information and Data Protection Tribunal not be created and that the OPC be granted the authority to impose AMPs at the conclusion of inquiries.

We recommend that the CPPA be amended to make the range of violations for which AMPs may be imposed much broader, potentially encompassing all violations under Part 1.

The CPPA should also be amended to include provisions similar to the UK Data Protection Act whereby, when appropriate, the Commissioner could give an organization an enforcement notice, clarifying the nature of a violation, before proceeding to the recommendation or the imposition of a penalty.

We also make various recommendations related to the factors to consider when recommending that a penalty be imposed and whether AMPs could be recommended for organizations in compliance with a certification program.

Alignment: The OIPC’s recommendations strongly align with ours.
8. Compliance Agreements

Bill C-11: The Commissioner can enter into a compliance agreement with an organization if, in the course of an investigation, the Commissioner believes on reasonable grounds that the organization has contravened, is about to contravene, or is likely to contravene the Act.

BC OIPC Submission on PIPA: The OIPC recommends that PIPA be amended to enable the Commissioner to enter into a compliance agreement with an organization on such terms as the Commissioner considers appropriate, with enforcement by the court in cases of non-compliance.

OPC Submission on C-11: In our submission we convey the view that the compliance agreement scheme could be improved by amending the CPPA to permit:
  • The resolution of inquiries through compliance agreements;
  • The registration of compliance agreements with the court, making them equivalent to an order of the court; and,
  • The addition of the payment of AMPs and all other negotiated measures as possible terms within compliance agreements.

Alignment: The OIPC’s recommendations are consistent with ours, though ours are more granular. This difference likely reflects both the absence of compliance agreements in PIPA and our own experience with them, coupled with the need to consider their interaction with other proposed new enforcement measures in the Bill.
9. Improving Regulatory Information Sharing and Cooperation

Bill C-11: The OPC can disclose certain information to our international counterparts.

BC OIPC Submission on PIPA: The OIPC recommends that PIPA be amended to explicitly enable the Commissioner to enter into information-sharing and cooperation agreements with foreign privacy regulators.

OPC Submission on C-11: The CPPA grants the OPC the authority to disclose information to international institutions. Our submission emphasizes the importance of this work.

Our recommendations relate only to our collaboration with domestic institutions.

Alignment: The OIPC’s recommendation is consistent with our emphasis on the importance of working with international regulators.
10. Enhancing/Clarifying Oversight Powers

Bill C-11: Relevant provisions:
  • Commissioner may initiate complaint, s 82(2)
  • Compliance orders, s 92(2)

BC OIPC Submission on PIPA: The OIPC recommends that the Commissioner’s enforcement powers be “completely revamped” to align with FIPPA. At a minimum, PIPA should be amended to remove the “reasonable grounds” threshold for Commissioner-initiated audits or investigations, to clarify the Commissioner’s order-making power in Commissioner-initiated investigations, and to enable the Commissioner to file orders in court.

The OIPC states that the proposals in the CPPA will strengthen the federal oversight framework (with the noted exception of the creation of the Tribunal).

OPC Submission on C-11: We strongly recommend the removal of the “reasonable grounds” threshold for initiating investigations.

On the OPC’s order-making powers, we recommend striking a phrase providing that orders can only be made “to the extent that it is reasonably necessary to ensure compliance with this Act”, a limitation which does not exist in PIPA. We also recommend that a paragraph be added to permit the OPC to order an organization to “take measures which allow individuals to be compensated for damages suffered, financial or otherwise, stemming from a breach or violation of security safeguards required by law.”

Alignment: The OIPC’s recommendation on the “reasonable grounds” threshold for initiating an investigation strongly aligns with ours.
11. Clarifying PIPA’s Relationship with PIPEDA

BC OIPC Submission on PIPA: The OIPC recommends amending PIPA to harmonize with Alberta’s PIPA by repealing the restriction of PIPA’s application where PIPEDA applies.

OPC Submission on C-11: This is not addressed in our submission.

Alignment: n/a
12. Legal Privilege and Individuals’ Access

BC OIPC Submission on PIPA: The OIPC is responding to recommendations provided by the Canadian Bar Association (BC Branch) and the Law Society of BC to amend PIPA to oust the Commissioner’s role in deciding, under court oversight, whether an organization’s claim of solicitor-client privilege has been established. The OIPC recommends not making such amendments. Nor should the Commissioner’s ability to view allegedly privileged records where absolutely necessary be removed.

OPC Submission on C-11: The OPC recommends that C-11 be amended to, at least in the case of access complaints where privilege is being claimed, allow us to request and receive information subject to solicitor-client privilege in order to assess claims of statutory exemptions in the context of access-related complaints. We note that similar powers are available under BC PIPA.

Alignment: The OIPC recommendation aligns with ours.